chaseman, Posted February 16, 2011
I've noticed that some websites send you your own actual password by email once you click on Recover or the well-known "Forgot Password?" link. Other websites simply send you a newly generated password which you can use to log in, and once you're logged in you can change the password again. I'm asking myself: since you cannot decrypt a password that has been inserted encrypted (with the sha1 function) into the database, how are they able to send you your actual password? I hope the passwords are not inserted unencrypted into the database?
Pikachu2000, Posted February 16, 2011
Because SHA1, MD5, et al. are not encryption methods, they are hashing algorithms. If a site is sending the actual password back when you request a forgotten password, they are either actually storing it encrypted, not hashed, or they're storing it in plain text.
chaseman (Author), Posted February 16, 2011
> Because SHA1, MD5, et al. are not encryption methods, they are hashing algorithms. If a site is sending the actual password back when you request a forgotten password, they are either actually storing it encrypted, not hashed, or they're storing it in plain text.

Oh, that makes sense, thanks for clarifying. So that means instead of using the hashing method they use the encryption method, and with that method they can simply decrypt the code before sending the actual password to the user, right? But that would also mean that the encryption method is not as secure, because if they can decrypt it, others can too, right? And plain text is of course even more insecure.
xylex, Posted February 16, 2011
I have yet to find a script that sends out plaintext e-mail but takes the time to implement two-way encryption in the database, so you can probably assume that they're saved in plaintext. It's usually safe to say that when you find one huge security hole (sending plaintext passwords over totally insecure protocols would fall under this category), there are a lot more best practices that are being ignored.
chaseman (Author), Posted February 16, 2011
xylex, that's something I was always suspicious of every time I got my password sent to my inbox in plain text, but I thought to myself: why would somebody put their own business (their own baby) out there into the wild, wild web so insecurely? Is it because business people just don't know better and have no clue what's going on under the hood of their websites? But at the same time, why do the programmers let this insecurity happen? Is it laziness, or what is it? If I were programming for hire for somebody, I'd want my work to be as solid as possible. I think it's just one more example of how the business world DOESN'T work the way it's taught in the books.
Pikachu2000, Posted February 16, 2011
Well, really you have to consider the data that's being stored. If it's just a username/password pair to a site that doesn't store other personal data, if someone gets the uname/pw combination, what do they really have? Pretty much nothing. A site that stores personal and/or financial information, on the other hand, would need more security.
chaseman (Author), Posted February 16, 2011
You're right about that, but that's not the actual problem though. The actual problem is that many users use the same passwords for multiple websites. Imagine this scenario: you hacked yourself into the database of Twitter and you got this:

User     | email              | password
konopkov | konopkov@gmail.com | w1ll3t

Do you notice something? Now you don't just have the user's password for his Twitter account, you may also have it for his Gmail account. Amazon asks only for an email/password combination; you may go ahead and give it a try, the chance of hitting the jackpot is not that low. Not every user uses difficult passwords for important websites and less difficult passwords for less important sites, as internet-savvy users like us may do. So you may give it a try and go ahead to see if the user uses the email address for his PayPal account with the same password. And with one catch you got like 5-6 flies lol. It's a chain reaction. But if you hack yourself into Twitter's database and all you get is this:

User     | email              | password
konopkov | konopkov@gmail.com | 34n0vn58043hbn3453nb5743805bn

which is a hashed password, then there's not much you can do. It's a simple step to implement a sha1 function, and at the same time it's a surprise to me that many don't do it.
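The two points made above, that a hash cannot be reversed (Pikachu2000's reply) and that a leaked table of hashes is far less useful to an attacker than a table of plaintext passwords (chaseman's Twitter example), are easy to see in working code. The following is an added example written for this thread, not code from any poster or from any real site. It uses PBKDF2-SHA256 with a per-user salt rather than the bare sha1() the thread mentions, stores only hashes, and implements the "send a new way in, never the old password" reset flow the first post describes: the "Forgot Password?" step hands out a random, one-time, time-limited token (the thing that would be e-mailed), and completing the reset sets a new hash. The user "konopkov"/"w1ll3t" is the constructed sample from the thread; the iteration count and token lifetime are assumed values for the demo.

```python
"""Added example: one-way password storage plus a token-based reset flow.
Nothing here is the forum's or any site's code; values are illustrative."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000        # PBKDF2 work factor (assumed value for the demo)
TOKEN_LIFETIME_S = 15 * 60  # reset tokens expire after 15 minutes (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    The digest is one-way: nothing in the record lets you recover `password`,
    and a fresh random salt means two users with the same password get
    different records."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by recomputing the hash with the stored salt and
    comparing in constant time. There is no 'decrypt' step anywhere."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal in-memory user table: only hash records are kept, never passwords."""

    def __init__(self) -> None:
        self.records: Dict[str, str] = {}                         # username -> hash record
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}      # sha256(token) -> (user, expiry)

    def register(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        return record is not None and verify_password(password, record)

    def start_reset(self, username: str) -> Optional[str]:
        """'Forgot Password?' step. Returns the one-time token that would be
        e-mailed to the user. Only the token's hash is stored, so a database
        leak does not hand out usable reset tokens either."""
        if username not in self.records:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[token_hash] = (username, time.time() + TOKEN_LIFETIME_S)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (single use, time-limited) and store a new hash."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(token_hash, None)   # pop => a token works once
        if entry is None:
            return False
        username, expiry = entry
        if time.time() > expiry:
            return False
        self.records[username] = hash_password(new_password)
        return True


def leaked_row_contains_password(store: UserStore, username: str, password: str) -> bool:
    """What someone reading a dumped table would see: with hashing, the
    plaintext password is simply not present in the row."""
    return password in store.records.get(username, "")


if __name__ == "__main__":
    store = UserStore()
    store.register("konopkov", "w1ll3t")        # constructed sample user from the thread
    print("login ok:", store.login("konopkov", "w1ll3t"))
    print("leaked row reveals password:", leaked_row_contains_password(store, "konopkov", "w1ll3t"))
    token = store.start_reset("konopkov")      # this is what gets e-mailed, not the password
    print("reset ok:", store.complete_reset(token, "new-pass-2011"))
    print("old password still works:", store.login("konopkov", "w1ll3t"))
```

Run it and the last line prints False: after a reset the old password is gone for good, because the site never had it in recoverable form. That is exactly why a site that can e-mail you your old password must be keeping it in plaintext or with a key it can reverse.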
Pikachu2000, Posted February 16, 2011
Yeah, as I said, it depends on the data being stored...